by Tim Leogrande, BSIT, MSCP, Ed.S.

MARCH 26 2026 • 6 MIN 6 SEC READ


The cybersecurity venture capital market experienced unprecedented growth in 2025, driven primarily by the rush to adopt AI-native security solutions and a surge in mergers and acquisitions (M&A) that reached record levels. According to data from investment bank Momentum Cyber, venture capital (VC) firms invested $119 billion in cybersecurity firms in 2025 across 400 transactions. The total value of M&A, financing, and IPO activity in 2025 nearly tripled that of the previous year.

While M&A set records for deal value, financing deals surpassed that volume, surging to 820 deals in 2025. AI security firms closed the most deals (144), with startups focusing on risk and compliance coming in a close second (137 deals).

<aside> 💡

This surge in investments is being driven by two trends: the almost exclusive focus by investment firms on AI-native cybersecurity solutions, and an urgent need to defend the dramatically expanding attack surfaces created by the growing use of AI in the workplace.

</aside>

Think of this as AI squared. While focused on AI-native security solutions, companies are also attempting to identify and secure the agents employees are using — often without the IT department’s permission or control. This situation is creating a major headache for chief security officers.

The tsunami of investments has continued into 2026, with January posting 38 M&A deals, the third-highest monthly count ever. This puts the market on pace for 477 M&A transactions this year. Startups focused on creating AI security tools, and on services to secure the AI supply chain and ecosystem, are producing enticing greenfield opportunities.

<aside> 💡

AI isn't just creating new products; it's changing the shape of the attack surface and the modus operandi of security teams at the same time.

</aside>

This combination is creating a robust tailwind for InfoSec entrepreneurs because clients are faced with urgent C-suite-level problems, and the gap between 'good enough' and 'reliably resilient' is rapidly widening.

Investment dollars have generally followed two paths, depending on the source of the capital:

  1. Security firms that boosted their net worth by onboarding elite cybersecurity teams.
  2. Companies seeking strategic investments to bolster their own product lines, or services who acquired startups in the security services sector.

AI security is the top segment in terms of funding deals for startups, closely followed by risk management and compliance. Two of the three largest deals to date were announced in 2025, with Google announcing it would buy cloud security firm Wiz for $32 billion in March and Palo Alto Networks purchasing CyberArk for $25 billion in July.

Strategic buyers accounted for 92% of the M&A capital invested during 2025. While more than half of the deals didn’t report values, the aggregate of the 400 M&A transactions is estimated to exceed $96 billion. With businesses seeking quick ways to adopt AI — often despite well-documented security shortcomings — startups focused on finding approaches to bolster security and protect corporate data are taking off.

Not surprisingly, VC firms aren’t currently looking at AI to provide specific features, but to change the economics of cybersecurity. AI’s impact on M&A increased during 2025 because it can change unit economics and outcomes via better threat detection, faster triage, reduced analyst burnout, and broader security coverage with the same staffing headcounts.

Moving forward, enterprises must learn how to effectively govern how AI is used while also securing each new generation of bots. Workers may unintentionally input sensitive information into AI models, and these platforms are still widely vulnerable to prompt injection attacks.

<aside> 💡

In many ways, securing AI agents is like securing digital employees who operate at scale but lack security awareness.

</aside>

This analogy is becoming increasingly relevant as organizations begin assigning AI agents access to internal systems, APIs, and corporate data. Unlike traditional service accounts, AI agents may make autonomous decisions, interact with external systems, and generate new workflows dynamically. This creates new identity, access management, and monitoring challenges that existing security models were not explicitly designed to handle.